Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Car Hacking Concerns On the Rise

Soulskill posted more than 2 years ago | from the except-among-car-manufacturers dept.

Transportation 95

Pat Attack writes "I think most of the people who read Slashdot know that if it has circuitry, it can be hacked. Well, the good folks over at CNN have an article about the potential for your car to be hacked. This article lists the potential damage that could be done, proof of concept work, as well as a few scary scenarios. 'With vehicles taking up to three years to develop, [security strategist Brian Contos] says manufacturers will struggle to keep abreast of rapidly-evolving threats unless they organize regular software updates. Instead, he says, any installed technology should be given a so-called "white list" of permissible activities beyond which any procedures are blocked.' My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe."

Sorry! There are no comments related to the filter you selected.

Will be worse with self-driving cars (5, Interesting)

MrEricSir (398214) | more than 2 years ago | (#39226521)

Car hacking is bad. Botnets are bad. But what about a botnet of autonomous vehicles?

Imagine owning a botnet of cars you could command to drive anywhere at any time. You could effectively close a highway or a bridge, prevent emergency response teams from getting to a destination, or switch the cars into some kind of "Carmageddon" mode where they target pedestrians.

Yeah, we'd be pretty much fucked if this happened.

Re:Will be worse with self-driving cars (0)

Anonymous Coward | more than 2 years ago | (#39226533)

Do we need to fear Were-Cars too? The title is right. Concerns are on the rise, actually hacking isn't.

Re:Will be worse with self-driving cars (1)

JoeMerchant (803320) | more than 2 years ago | (#39226549)

Car flash-mob! Well, not until we have Google driving for us.

Re:Will be worse with self-driving cars (3)

TheRealMindChild (743925) | more than 2 years ago | (#39226559)

Just because the software for a system can be compromised doesn't mean that you can make it grow legs and breath fire

Re:Will be worse with self-driving cars (0)

Anonymous Coward | more than 2 years ago | (#39226949)

Yes you can!
http://www.youtube.com/watch?v=X4SCSGRVAQE

Re:Will be worse with self-driving cars (1)

Anonymous Coward | more than 2 years ago | (#39228655)

We can't always have everything, but they are still full of useful features. Even if you don't subscribe, some can turn on your OnStar system to see if your dog sounds healthy. They check your speed to give you insurance discounts, a chance to help fund public safety, or offer you a special on comedic driver education. They'll even check the RFIDs in the rubber as you drive by to help digital billboards greet you by name, make offers of interest to you, keep track of you in case you get lost, and assign the best routes based on current organ donor opportunities. And if you're ever under the control of aliens, your car can be remotely stopped so that you can get prompt brain surgery. If you got the flu shot rewards-chip special, you can get two lobes done for the price of one.

Driving it is dangerous enough (4, Interesting)

MrEricSir (398214) | more than 2 years ago | (#39229257)

If I can set the car to drive anywhere I want and disable safety features, isn't that dangerous enough?

So far, those who have insisted their software's security is perfect have a very, very bad track record.

Re:Will be worse with self-driving cars (3, Funny)

AarghVark (772183) | more than 2 years ago | (#39226573)

It's called a Wall-of-Traffic. I believe it is a 10/5 artifact with Trample. Requires 8 mana of any color to cast.

Re:Will be worse with self-driving cars (0)

Anonymous Coward | more than 2 years ago | (#39226665)

Yeah. Odd that they gave a wall trample, since they can't attack.

I guess you'll just have to cast Rolling Stones first.

Re:Will be worse with self-driving cars (0)

Anonymous Coward | more than 2 years ago | (#39229483)

It's called a Wall-of-Traffic. I believe it is a 10/5 artifact with Trample. Requires 8 mana of any color to cast.

Silly. Trample would be wasted on a wall. they can't attack. (Unless there's an enchantment, artifact or creature ability making it otherwise.)

Re:Will be worse with self-driving cars (1)

philip.paradis (2580427) | more than 2 years ago | (#39226575)

Tanks are good at getting rid of cars. I sure hope any occupants get clear in time.

Re:Will be worse with self-driving cars (1)

Nikker (749551) | more than 2 years ago | (#39227885)

But how do we get rid of the tanks?

Re:Will be worse with self-driving cars (1)

philip.paradis (2580427) | more than 2 years ago | (#39228749)

With precision guided munitions, naturally.

Re:Will be worse with self-driving cars (1)

228e2 (934443) | more than 2 years ago | (#39229341)

But how will be get rid of the munitions???

Re:Will be worse with self-driving cars (1)

philip.paradis (2580427) | more than 2 years ago | (#39229383)

With carpet bombing, naturally.

Re:Will be worse with self-driving cars (1)

DnaK (1306859) | more than 2 years ago | (#39226757)

You watched "Maximum Overdrive" again didn't you!

Re:Will be worse with self-driving cars (1)

I Read Good (2348294) | more than 2 years ago | (#39226867)

You should read the book Daemon. It has this.

Re:Will be worse with self-driving cars (1)

zparsons (967468) | more than 2 years ago | (#39227141)

You should read the book Daemon. It has this.

That's what I found so scary and fascinating about Daemon. Self-driving cars as weapons (and many of the other things Sobol did) seem quite plausible.

Re:Will be worse with self-driving cars (-1)

Anonymous Coward | more than 2 years ago | (#39227003)

You are a clueless idiot who has no grasp of what cars
can and cannot do.

Do the world a favor and kill yourself.

Re:Will be worse with self-driving cars (1)

sixsixtysix (1110135) | more than 2 years ago | (#39227221)

but it would be sooo awesome

This article is scant on details and you ... (0)

Anonymous Coward | more than 2 years ago | (#39227731)

don't know what you're talking about and you sound like an idiot.

And the mods are idiots.

You see, a car is a CAN. That's all. And it's a bitch to break into it.

'Nuff said.

PS, most of you don't know what the fuck I'm talking about.

Re:Will be worse with self-driving cars (1)

228e2 (934443) | more than 2 years ago | (#39229347)

Nah, this is precisely why the Autobots have stuck around.

Optimus Prime wouldnt allow that on his watch.

Re:Will be worse with self-driving cars (0)

Anonymous Coward | more than 2 years ago | (#39229507)

I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe."

or you walk outside to find your car gone, or it gained a mind of its own and wanted to take a stroll down the block...

Re:Will be worse with self-driving cars (1)

ThatsMyNick (2004126) | more than 2 years ago | (#39229773)

Dude, did you hear about those new computer-controlled airliners that can fly themselves (aka Autopilot)? They will become sitting ducks in the sky, waiting to be hacked. Just imagine what a botnet of these airplanes can do? Can you even count the number of 9/11's that can be caused simultaneously around the world?

Mod Parent UP!! (0)

Anonymous Coward | more than 2 years ago | (#39229789)

Mod Parent UP!!

Re:Will be worse with self-driving cars (1)

MrEricSir (398214) | more than 2 years ago | (#39234093)

I wouldn't worry so much about that, since autopilot systems are relatively simple and don't necessarily involve general purpose computers at all.

But the engines, on the other hand... [itworld.com]

This was done.. (0)

Anonymous Coward | more than 2 years ago | (#39231573)

See the novel series Daemon by Daniel Suarez:

http://en.wikipedia.org/wiki/Daemon_(technothriller_series)

The whitelist (1)

Anonymous Coward | more than 2 years ago | (#39226523)

any installed technology should be given a so-called "white list" of permissible activities beyond which any procedures are blocked.'

They have such a list. It's called "an instruction set" and is contained in a piece of hardware called a CPU.

Re:The whitelist (0)

Anonymous Coward | more than 2 years ago | (#39226743)

If you're trying to refer to how car computers don't need much power, that isn't necessarily true. The car computer is getting more and more popular, having to read your music library, ridiculous 3D GPS maps, possibly the ability to playback video, and so on. Basically keep them as a means of entertainment and connectivity with not many options on anything else. My car for example, can read me text messages I get while driving. That's pretty neat, but the system is quite limited in functionality, so it would make sense to want to keep it that way for the sake of security, but technology advances and you simply have to address the issues.

Just keep the locked down so you don't have people porting Android or Ubuntu to their cars. How dangerous would it be to throw Ubuntu on your cars computer anyway? Aside from attempting to use it while driving. I don't really understand this, but i'm sure viruses and such (downloading your phonebook via. car computer virus) could exist with current technology. Only a risk to your information, not exactly any safety features of the car.

Re:The whitelist (1)

WillgasM (1646719) | more than 2 years ago | (#39226907)

I think he's referring to the idea that you can't make it do something that it can't already do. Why would you give it the ability to do things you never want it to do in the first place. It's the proverbial "way too damn fast" setting.

My 3rd party ECU is feeling better all the time... (1)

JoeMerchant (803320) | more than 2 years ago | (#39226539)

It is possible, and even practical in some cases, to replace the ECU with another device, e.g. http://en.wikipedia.org/wiki/MegaSquirt [wikipedia.org]

If you're paranoid, you too can spend hundreds of hours changing out your ECU and tuning the new one - then it won't be vulnerable to the standard attacks, though it will probably be vulnerable to others.

Re:My 3rd party ECU is feeling better all the time (2)

stms (1132653) | more than 2 years ago | (#39226921)

The best solution is to have a manual overrid (that the computer cannot control) in all cars with self driving capabilities. That way if the driver notices anything funny they can go into manual mode. Of course that defeats the biggest benefit of self-driving cars you can't be sleeping, drunk ect. at the wheel.

Re:My 3rd party ECU is feeling better all the time (0)

Anonymous Coward | more than 2 years ago | (#39227763)

IMO, this is probably what is eventually going to happen. Is that a car will have operate in "dumb mode" and "smart mode"

In "smart mode" the computer has direct linkage into all the car parameters and, could in theory be driven remotely by police and 911 operators.
In "dumb mode" the computer is disengaged from all sensors ("eg driving blind") and is disengaged from the accelerator and ignition.

So in theory if the car is mis-behaving you switch it from smart to dumb mode, and operates somewhat crippled (eg no cruise control, no auto-parallel park, no collision avoidance.)

We won't be going back to pre-fuel-injection systems anytime never. Though in my opinion there should be some non-computerized choices out there, something other than a moped. These would basically be land-yacht types that have an external beacon installed to warn automated cars around it that it's not automated and to keep some distance.

Re:My 3rd party ECU is feeling better all the time (1)

drkstr1 (2072368) | more than 2 years ago | (#39229397)

I've always envisioned automated driving working more like a "turn signal system." Hitting the right turn signal would change your lane to the right as soon as safely possible, or take the next right turn if applicable. Hitting the stop button will pull you into the next available parking spot, or pull you over to the side of the rode if on a highway. I don't see myself, or others really, being very willing to give themselves over to a fully automated system, except for the most menial of tasks (like pulling out of an apartment complex, parallel parking, changing lanes, etc.)

Security versus features... (1)

Anonymous Coward | more than 2 years ago | (#39226591)

The ideal is going back to separating hardware modules. However, as people want more features, having one component be able to access another is going to be a must.

We can play with security additions all we want, but the only real protection is compartmentalization. The radio does not need on the same CANBUS as the drive-by wire throttle and brake system for example.

Re:Security versus features... (1)

Anonymous Coward | more than 2 years ago | (#39226879)

Yeah, but it makes it so much easier for brand lock-in, doesn't it? If my SAAB's radio dies, I have to go to the dealer to get a new radio "married" to the TWICE unit. Want to sell me a used SAAB radio? You need to get it "divorced" from your car, else I can't use it. Lose both your transponder keys? You need a new TWICE unit and new transponder keys programmed to work with the ECU ($1600+). Want to do this yourself? You can't! $4k for a basic CANBUS and CANDi, then an act of god to get the software from SAAB and virtually impossible to get authentication keys for each programming change. Apple wishes they had it so good! I can flash the ECU to tune the engine, but as far as the system as a whole goes, that's still closed. I dread losing my key or having the TWICE go on the blink.

Re:Security versus features... (1)

couchslug (175151) | more than 2 years ago | (#39226961)

There is good reason such makes go for very little at dealer auctions because they are horribly expensive to repair.

Re:Security versus features... (1)

Pentium100 (1240090) | more than 2 years ago | (#39227797)

The more I read about new cars, the more I like my old car.

For example, the tape deck is connected to my car by a few wires - power, antenna, speakers. That's it. No configuration, nothing. If I want, I can take the tape deck out of my car, connect it to a 12V power supply and some speakers and listen to the music.

There are no computers in my car at all - no need to worry about software bugs or failing EPROMs, just check once in a while if all the linkages etc are not worn out or rusted.

Re:Security versus features... (1)

fast turtle (1118037) | more than 2 years ago | (#39228193)

And this is why I absolutely refuse to give up my 65. It's got absolutely no electronics that I didn't install nor does it require them to operate safely and efficiently and I didn't have to invest into $30+k worth of tools to fix the damn thing when something breaks.

Currently, the only electronics installed are the LED rear tail light and front turn signal bulbs, drop in electronic ignition module (replaced the points/condensor) HID head lamps and the invertor I use to charge my laptop when traveling. Don't have a DC cord for it and don't need one as I've already got the normal power brick.

Re:Security versus features... (2)

viperidaenz (2515578) | more than 2 years ago | (#39229611)

I hope you replaced the reflectors in your headlights when you put in HID bulbs.

Hardware hacking (0)

Anonymous Coward | more than 2 years ago | (#39226611)

Cutting the break lines was an effective hack (at least in TV shows).

Re:Hardware hacking (1)

Pentium100 (1240090) | more than 2 years ago | (#39227859)

Cutting the brake lines can be effective, but only if the target needs to stop very fast (a moose runs out on the road etc). Otherwise you can downshift (if the car has a manual transmission) to brake with the engine and then turn the engine off to stop. At least it would greatly reduce the impact.

Re:Hardware hacking (1)

Sulphur (1548251) | more than 2 years ago | (#39229523)

Cutting the brake lines can be effective, but only if the target needs to stop very fast (a moose runs out on the road etc). Otherwise you can downshift (if the car has a manual transmission) to brake with the engine and then turn the engine off to stop. At least it would greatly reduce the impact.

There is a gizmo called a proportioning valve that partially prevents that. Each brake gets a certain amount of pressure and the one with the cut line gets no pressure and leaking brake fluid. After a few stops, the loss of brake fluid will be a problem, but the car stops well enough before then.

Re:Hardware hacking (1)

viperidaenz (2515578) | more than 2 years ago | (#39229619)

... unless you cut all 4 lines

Re:Hardware hacking (1)

Sulphur (1548251) | more than 2 years ago | (#39229697)

... unless you cut all 4 lines

Someone should mod you up. Just because my tired ass was saved doesn't mean everyone is safe.

Re:Hardware hacking (1)

sjames (1099) | more than 2 years ago | (#39229747)

You can even downshift to some extent in an automatic. You also have the emergency brake.

Re:Hardware hacking (0)

Anonymous Coward | more than 2 years ago | (#39249115)

Hacking the break lines in half was an effective hack (at least in TV shows).

FTFY

Developing vehicles in danger? (1)

Crasoose (1621969) | more than 2 years ago | (#39226613)

'With vehicles taking up to three years to develop, [security strategist Brian Contos] says manufacturers will struggle to keep abreast of rapidly-evolving threats unless they organize regular software updates." What? What does he mean? Why should it be any problem while it is still being developed? Unless It's a hardware hack I don't see how it should have any trouble receiving updates while it is still being made, more so after it has been released and updates are done via the internet which is much more scary.

Re:Developing vehicles in danger? (1)

Charliemopps (1157495) | more than 2 years ago | (#39226747)

Because auto-manufacturers, especially in the US and Japan, still think it's 1955. They turn slower than the Titanic. They're all racing each other to get fancier and fancier add-ons to their cars, and don't want to be seen as the dinosaurs that they really are. So what are they doing? They're outsourcing all these computerized add-ons to the lowest bidder. They don't have a clue how they work, and don't have a clue what kind of security risk they pose. The schematics and software is all closed source so they don't have a clue. Meanwhile they're letting these little black boxes that contain god knows what, have access to the breaks, engine, locks, even the steering of the car. The potential for a "If speed > 70mph then Steering += 90 degrees" scenario is growing every day. It's not a matter of if it happens, it's a matter of when.

Re:Developing vehicles in danger? (1)

JeanCroix (99825) | more than 2 years ago | (#39240821)

I consider my 1955 automobile extremely unhackable, actually. At least by the modern methods described here. It has circuits, but they're all analog. And 6V. And positive ground.

Carmageddon!!! (0)

Anonymous Coward | more than 2 years ago | (#39226615)

Yeah, just look on YouTube for "Carmageddon" and enjoy. Although, I seriously doubt that 'wheel friction' could ever be set to -9 in the real world...

Best hacking prevention (1)

neonv (803374) | more than 2 years ago | (#39226653)

Hacking without physical access requires a network. If you don't want your car hacked, don't link it to the network. It's the tried and true way to prevent hacking. Cars have had computers in them for a long time, but they don't get hacked because they're generally not connected to any networks.

Re:Best hacking prevention (1)

HereIAmJH (1319621) | more than 2 years ago | (#39232957)

Cars have had computers in them for a long time, but they don't get hacked because they're generally not connected to any networks.

If you have OnStar, you're connected to a network. A network that is indirectly connected to the Internet. And every brand is pushing their own version of OnStar. Watch some of the new car commercials, lock/unlock and start your car from your cell phone or laptop, etc. Car designers need to be thinking about firewalls, system separation, and sandboxing all code execution to enforce limitations on critical parameters.

Not only do they need to be limiting how much changes can be made to operating parameters, they need to control data leakage as well. It's bad enough that the government can track your every movement. It can be much worse for other people to have that information.

But we've been fighting the same exploits in IT for well over 2 decades (buffer overflows, sql injections), I don't expect the auto industry to do any better.

This is your mom (1)

cvtan (752695) | more than 2 years ago | (#39226655)

Your car with bluetooth is unsafe.

Re:This is your mom (1)

Randseed (132501) | more than 2 years ago | (#39228051)

I always liked cracking the lame-ass security that is usually used and send "messages from God" over the audio system in the car next to mine. It's hilarious.

eh... where is the logic? (0)

Anonymous Coward | more than 2 years ago | (#39226687)

Where is the logic in an automotive manufacture making the braking or acceleration functions remotely controlled? At what point would an end consumer ever need to make their car accelerate via a retarded iPhone app? I really don't see the concern here. It is more like trying to tie some very loose ends together and creating a FUD article.

At best, a hacker may overtake your Bluetooth connection and cause you to listen to some crappy bubble gum pop over the radio.

Re:eh... where is the logic? (2)

jc42 (318812) | more than 2 years ago | (#39228891)

Where is the logic in an automotive manufacture making the braking or acceleration functions remotely controlled? ...

Actually, the logic is quite simple, from a manufacturer's viewpoint. In much of the world, including the US, it's illegal (for about the past half century, depending on country) to make the mechanical parts a "black box" that can only be repaired by manufacturer-approved mechanics. But those laws don't apply to computerized equipment. So anything that can be computerized becomes a part that you must take to the dealer's shop for repairs. They'll tell you what's wrong, and how much you'll have to pay to get your car back in a usable condition. This means huge profits for the authorized dealers.

In another decade or so, new cars will be completely computer-controlled, independent auto mechanics will be out of business, and you'll be paying a lot more to keep your car running than you do now.

Check back in 10 years to see how much of a prophet I am. ;-)

(Actually, this isn't my prophecy at all. Lots of others have predicted the same thing. The auto makers aren't trying to deny it.)

Re:eh... where is the logic? (2)

Pentium100 (1240090) | more than 2 years ago | (#39229363)

And the dealers rip you off.

A 2003 Nissan Primera P12 (not mine) turned on the "check engine" light. As I am only familiar with my 1982 car (which is much different from the Nissan, there is no "check engine" light for one), the car was taken to the dealer. The dealer said that the timing chain is stretched (a common problem for these cars) and that it is cheaper to replace the whole engine. The cost: ~1500EUR. However, instead of paying it, we took the car to the mechanic that repairs the engine on my car when something breaks or the carburetor needs tuning or valves need adjustment. He found out that the crankshaft position sensor was broken, not the chain. Repair cost: ~180EUR, 150 of which was the cost of the sensor. Oh, and we had to pay 170EUR to the dealer for the diagnostic (which was wrong).

On the other hand, any mechanic who know how a carburetor works can repair my car, because most of the time problems will be simple - something bent, broken or worn out.

OP doesn't know what Luddite means (0)

Anonymous Coward | more than 2 years ago | (#39226715)

Go read a dictionary.

The solution is #NO CARRIER# (5, Funny)

sunwukong (412560) | more than 2 years ago | (#39226787)

My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe.

Assure her it's nonsense and that you even wear a Bluetooth headset.

Then scream, play a recording of Soundwave, and hang up.

Somebody will have to die... (1)

czmax (939486) | more than 2 years ago | (#39226803)

...before anything is seriously done about this.

Until then it will be business as usual. And unfortunately when some script kiddie kills somebody it won't make the news. I worry that this sort of thing won't get fixed until a major "breaking news story" about hundreds of cars running off the road plays out. Only then will it matter.

An optimistic alternative option is that the 'fear mongering' media run with this sufficiently to make it a big issue. This one of the times when the media's bias towards scary news stories can help society.

Re:Somebody will have to die... (0)

Anonymous Coward | more than 2 years ago | (#39226979)

Seems to that bugs in the firmware (and in the specs for the firmware) are as great a problem as hacking. Like the Toyota issues of a couple of years ago.

Christine Lives! (0)

Anonymous Coward | more than 2 years ago | (#39226849)

I knew that movie was real!

That's nothing (0)

Anonymous Coward | more than 2 years ago | (#39226899)

I live in fear that someone download my car.

A bigger threat (4, Interesting)

dmomo (256005) | more than 2 years ago | (#39226963)

Is how these updates will be applied:

1) Automatically via some wireless service. Bad idea. I'd hate to even go there.
2) In authorized service centers. This is scary because, the auto manufacturer will be able to warn us from going to non-authorized dealers, saying it's a security issue on top of a quality issue. We've already ran into these kinds of issues [righttorepair.org] . It's come up before here on Slashdot [slashdot.org] .

Re:A bigger threat (0)

Anonymous Coward | more than 2 years ago | (#39228073)

#2 is already what happens. Manufacturers have been flashing firmware updates to the TCM, BCM, ECU, etc for years.

Just look at the most recent recall for the 08-10 CRVs and such... transmission issue recall. Hit up the dealership and they update the TCM firmware to correct the issue.

GM also has done this before. Heck, the radio can come with features locked out (XM etc) that requires the dealer to plug in their tool and switch the input/function on before an after market satellite radio receiver will work (though honestly nearly all I've done over the years were never locked out)

Who would hack a car? (0)

Anonymous Coward | more than 2 years ago | (#39227061)

Q: how do you make a Chinese hacker blind? A: give him access to something with a windshield

But cars don't run Windows! (1)

ltkije (635596) | more than 2 years ago | (#39227063)

Brian Contos has something to sell you and isn't afraid to use FUD to better his chances. The CNN reporter isn't very good either -- obviously he understands buzzwords but not automotive electronics. Here's the deal... Your car built since the 1990s is loaded with at least a dozen embedded microprocessors, probably more. However, it is likely that at most two are running a mainstream operating system such as Linux or (much as I hate to say this) some form of MS Windows. Those two the "infotainment" and telematics or hands-free phone units. Everything else is a closed, closed, closed system. Even to reflash most automotive electronics requires specialized knowledge and equipment. This is done to keep 3rd party replacement gear out of the car as much as anything else.

So the risks come down to a) unusual combinations of inputs that cause unexpected consequences and b) downloadable apps. You can bet that the auto companies are working hard to prevent the first. If there's ever an "app store" for some car electronics, it will be far more tightly controlled than what's out there for smartphones, again as much for control of what gets into the vehicle as for security. Not that I would personally care to "compute-ify" my car, thank you.

The failures of TFA are that the McAfee guy is applying desktop OS assumptions to embedded systems, and the CNN reporter didn't actually talk to any car guys.

bluetooth car is unsafe (0)

Anonymous Coward | more than 2 years ago | (#39227249)

Your new car, the one with bluetooth, is unsafe.

Overhyped problem. (5, Interesting)

silverhalide (584408) | more than 2 years ago | (#39227287)

This article is crap. They only quote a CD-based infotainment attack which requires access to the vehicle, and an aftermarket system attack which was poorly engineered. They describe a TPMS DOS attack (RF interference from the sensors) that might make your check tires light come on. Boring.

Right now, if you car doesn't have a RF transceiver, there is nothing to worry about since gaining physical access to the network requires breaking into the vehicle.

If your car does have an RF link (bluetooth, cell phone), you're still relatively OK - infotainment systems as a rule are very segregated from the powertrain networks and usually only linked by a CAN bus that only supports some high level messaging. The Infotainment ECUs do not share the same CAN bus as the powertrain components and there is generally an ECU that acts as a "firewall" such that any DOS-style attacks on the infotainment CAN bus won't affect the other vehicle systems.

I will concede that vehicles with OnStar are a bit more concerning, as I think OnStar has more hooks into the rest of the systems, although I'm not sure how deep. So that is one to worry about...

There have been some attacks demonstrated against the outward facing systems where an attacker can mess with your radio, but the systems are architected such that an attacker needs physical access to the bus to do any real damage to a vehicle.

Here's a good discussion:
http://www.autosec.org/pubs/cars-usenixsec2011.pdf [autosec.org]

Re:Overhyped problem. (1)

Karlb (87776) | more than 2 years ago | (#39227509)

I was going to say the article is crap, but you said it much better... What the hell is with slashdot these days.

Moon is made of cheese says the Daily Mail. My mum reads that paper and isn't an astronomer. She is now sad! (yes I read the article, it's rubbish too)

Re:Overhyped problem. (0)

Anonymous Coward | more than 2 years ago | (#39228083)

This is the publication where they use a wire in the cab to hack the OnStar, install a custom firmware in it, then use the OnStar as a network bridge between the non-critical entertainment CAN and the safety-critical engine and brake management systems.

They were also able to put the brake controller into a test mode where it overrode driver input on the pedal disabling the brakes. They also were able to get the ECU to excite a wire that was hooked up in parallel to the ignition so even with the key off the vehicle still ran.

It's not overblown. http://www.autosec.org/pubs/cars-oakland2010.pdf [autosec.org]

Re:Overhyped problem. (1)

Pentium100 (1240090) | more than 2 years ago | (#39229525)

That requires physical access. With physical access you can also cut the brake lines and the result will be almost the same (well, cut brake lines will be notices quite soon, where you could probably program the custom firmware to only disable the brakes if, say, the driver slams on them (to avoid hitting something)).

However, a lot of people on /. suggest that cars should be aware of each other, forming some kind of wireless network. If that ever happens, remote exploits may become reality, since the software will have bugs. Get a high gain antenna and you'll be able to crash cars without being near them.

Re:Overhyped problem. (1)

SteveCheckoway (2587421) | more than 2 years ago | (#39229631)

That requires physical access.

It doesn't require physical access. I recommend reading at least the abstract of the paper before commenting.

Re:Overhyped problem. (2)

Pentium100 (1240090) | more than 2 years ago | (#39229739)

From what I read, they needed to connect an additional device to the car, which requires physical access. It is stated that the tested car has at least 5 wireless interfaces, but no attempt to take over the car using them was made.

Still, every time I read about something like this, I start liking my 1982 car even more. The only computer in it is the microcontroller of the tape deck. The tape deck is connected to the car only for power, speakers and antenna, so, if the tape deck can be taken over (I doubt it), the worst that the attacker could do is turn off the music.

Digital is not superior to analog by default (1)

Anonymous Coward | more than 2 years ago | (#39227317)

We seem to have this default assumption that if we can digitize something, we should. I'm no luddite, but we need to seriously examine this assumption. If something can be done mechanically in a time-tested and relatively simple way, there needs to be some serious reflection before we introduce a whole slew of new points of failure for the sake of a slick digital interface with touchscreens, ipod docks, and internet connections.

We seem incredibly eager to insert as many new complexities as possible, because a new car needs a new feature to make it superior to an old car. Nobody asks what the trade-offs are (there can't be any downsides to something that appears slicker and quicker, can there?) until a few hundred toyotas drive themselves into walls.

fearing lame tech is not Luddite (3)

dltaylor (7510) | more than 2 years ago | (#39227341)

The Luddites were workers being displaced by machines.

Regarding all technological "innovation" (which may, or may not, be useful "progress") with suspicion is not Luddite behavior, just sane, healthy skepticism. Being locked into a BMW, unable to lower the windows, provide any powered ventilation, or drive the car (or Ford Explorer, as a recent tester found), is the result of larding cars with cheap electronic gizmos without being required to put them through some really stringent testing. A glitch in your car's MP3 player that only makes it skip some songs is mildly annoying; if the MP3 player happens to be in control of pretty much everything ('cause why pay for more CPUs?) and same glitch causes it to execute some exploit code embedded in the MP3 (DX8 or 9), then you've got an utterly untrustworthy vehicle that should be banned from public thoroughfares. With MS building the stacks for some of these, I wonder how many "snoop your ride (be careful what you say/do when it has an internal microphone/camera)" back doors are in those systems, not to mention (although I will) the OnStar-style snoops.

I am not so worried about hacking (1)

livingboy (444688) | more than 2 years ago | (#39227579)

I think modern cars have same effect to driving skills than pocket calculators did to mathematical skills.

In the good old days people could do basic math in their heads, now they use calculators even for the simple math problems.

Old cars didn't have ABS brakes and traction control, you noticed quite quickly when road was slippery and also learned how to really drive a car.

Modern cars don't give similar warning, maybe some light flashes in dashboard telling you that traction control was needed, but you don't register that - this winter we have had lots of pile-ups here in Finland, people drove like it was summer as their modern cars didn't warn them enough that it is really really slippery and you should slow down a bit.

So in the good old days you really needed to learn how to drive a car, it didn't help you, now car has control over braking and throttle, you just steer and when pocket parking car does even that -> drivers don't understand physical laws like they used to do.

Re:I am not so worried about hacking (2)

biodata (1981610) | more than 2 years ago | (#39227843)

This. I have a friend in his mid 20s who has never driven a car without voice GPS, has never navigated in a car using only road signs and/or physical map, and wouldn't feel confident to drive anywhere he has never been before unless the GPS is working. I was shocked when he admitted this. It seems that giving control of something so fundamental as knowing where you are going over to something as inherently unreliable as a computer is dangerous, and I think the same is true of the vital mechanical functions of a car such as acceleration, deceleration and steering.

Re:I am not so worried about hacking (1)

Pentium100 (1240090) | more than 2 years ago | (#39228419)

You almost described me.

I use GPS to go somewhere where I hasn't been before (or only a couple times and the route is complicated). Usually, before going there, I plan the route on my PC, because sometimes the routing software picks out a route that I do not like (maybe I would like to go around a town, even if it adds 10km to my 200km trip), I also sometimes notice better routes than I have known before. My parents rarely use maps, just string along multiple partial routes ("if I want to get from point A to point C which is close to point B, then I go to point B and figure out how to get to point C from there") - routing software sometimes suggests more efficient routes, for example, I once drove to my friend, who lived near an edge of a bigger city. If I went using the partial routes, I would have had to go trough half of the city, the software suggested I go around the city. Not only I avoided the majority of that city, the route length was the same (or even a few km shorter).

Once I have been there a couple of times, I can usually remember the route and drive without GPS. I still use GPS when driving on the highway so I don't miss the exit, but if the receiver was not working, I still could go to my destination.

I am terrible with direction though. If you tell me how to get to you, I probably will only remember some of the directions and even those would be out of order.

It seems that giving control of something so fundamental as knowing where you are going over to something as inherently unreliable as a computer is dangerous

Not really. I always look at the (digital) map before going, so I know whether the directions the computer is giving me make sense. Also, if it fails completely, I can still drive using the road signs and ask for directions, but it's less convenient than GPS.

and I think the same is true of the vital mechanical functions of a car such as acceleration, deceleration and steering.

Now here I agree with you. If the software that controls acceleration, brakes and steering fails, I could be in a lot of trouble (compared to the mild annoyance of failed GPS). Fortunately, my car is old enough (made in 1982) to not use computers. Mechanical linkages control the throttle, steering and brakes. The only computer mounted in my car is the one that controls the tape deck.

Re:I am not so worried about hacking (1)

RealUlli (1365) | more than 2 years ago | (#39230567)

Once I have been there a couple of times, I can usually remember the route and drive without GPS. I still use GPS when driving on the highway so I don't miss the exit, but if the receiver was not working, I still could go to my destination

Same with me. An additional reason for me using GPS on long distance trips is traffic jams, or rather, getting warned of them in time, getting them evaluated about impact on route, and if necessary get an alternative routing.

Re:I am not so worried about hacking (1)

Pentium100 (1240090) | more than 2 years ago | (#39230623)

That would be nice, but where I live there is no such service.

Thanks, fellow slashdotters! (3, Interesting)

anubi (640541) | more than 2 years ago | (#39227625)

This thread has been an interesting read. You have reconfirmed my apprehension for newer automotive technologies.

Two of them, ABS braking and fuel injection ( with OBD2 ), I am all for. The rest of 'em though seem to me a design from Rube Goldberg.

Don't get me wrong. I love driving aids, especially GPS, and I love OBD2 that lets me see how the Engine Control Unit is faring.

I am a "control freak". I feel responsible for what my machine does. I want the assurance of a steel rod running from my steering wheel to the rack-and-pinion gearing steering the front tires, and knowing there is no way for anyone to instruct my car to ignore my steering commands. Same with the brakes - hydraulics. And acceleration/fuel for the engine - a cable linkage.

These, I understand, and have an inner feel for when anything is amiss.

"Drive by Wire" scares the hell out of me.

This whole thread gives me comfort knowing that I said the right thing to the repair garage a few months ago when they told me it was going to cost right at one thousand dollars to re-do the entire braking system on my nearly 40 year old toyota, that has hauled me nearly a half a million miles. They advised me it was an old car and not worth all that much. Well, maybe not to them, but I have come to really have a love for the simplicity of that old car. I had them redo the whole shebang - every cylinder, caliper, shoe, and hose. By golly, I consider the brakes the most critical part of the car. If ANYTHING works, the brakes will,

As one of the other posters noted, it is a great fear of mine too that "pranksters" will discover access pathways into a fancy car and wreak havoc by remote control, anonymously, just for the fun of watching the crash. Its the same thing that made "Winnuke" so popular back in the early internet days, when we found out we could send just one malicious packet to someone to give them the blue screen of death. We'd do it for the pure fun of it.

Although I like the new car's interiors, for now I will consider them a "rich man's toy" because they are so expensive to maintain.

As a side note, its not the cost that kills my enthusiasm, rather it is my impression of quality. I believe in getting good value for my money. I have even been spending $15-$20 for flashlights... ( Ultrafire WF-502B's with various P60 LED engine cartridges - and only WF-502B ) because these lights are made to last, and being the owner of a few laptops, I have plenty of the Lithium 18650 cells these lights use. I am hooked on those 18650 cells giving their second life powering things on the cell level ( 3.6 to 4.2 volts per cell ) when the laptop battery pack fails. Meanwhile I have plenty of little dollar-store LED lights, and have retrofitted my old filament-based D-cell flashlights with LED's

Most of the time, newer technology is better, but its not always the case.

Sometimes its just not "done" yet and other times it wasn't such a good idea in the first place but some marketer saw a buck in it.

Well, anyway, that's my take.

Re:Thanks, fellow slashdotters! (2)

Rick17JJ (744063) | more than 2 years ago | (#39229243)

I prefer the basic simplicity of the controls on many of the older vehicles. On my dad's old 1971 Volvo, I did not have to take my eyes off of the road to adjust the defroster, heater, air-conditioner, or radio. I knew where each knob and lever was, without looking, and could easily adjust them by feel.

I still drive a 20 year old pick-up truck which still runs reliably and looks like new. The controls are not as simple as the 1971 Volvo, but they are very simple compared to newer cars. My only criticism is that it has a few too many identical, closely spaced, buttons on the dash.

I do not have a GPS or On-Star. I open the door with a key. It has a 5-speed manual transmission, and I do not have power windows or power locks. The gauges are all analog. I can easily put it or out of 4 wheel drive or low range, by feel and sound, by using the lever on the floor (not buttons). The cruise control can be operated by feel, without looking.

I always wear my seatbelt, and I am not concerned about the lack of air-bags. Living in Arizona, where we do not get very much rain or snow, I am not concerned about the lack of ABS.

The AM/FM radio was unnecessarily complicated to operate while driving, so when it quit working about 15 years ago, I did not bother having it fixed. I preferred how, the radios in my two previous cars both had the far simpler old fashioned setup of just two large knobs and 5 push buttons. There was one push button for each of my favorite stations.

I have never owned a car with an automatic transmission and prefer having a stick shift. When driving an automatic, it bothers me, not having anything for my right arm and left foot to do when accelerating. It also makes driving boring when you can just press the gas peddle and the car or truck just goes.

Having just a large floor mat instead of carpeting is an advantage in the truck, because I can easily wipe away muddy footprints, with a damp cloth.

I hope to keep driving my simple old truck for many more years.

Re:Thanks, fellow slashdotters! (1)

Pentium100 (1240090) | more than 2 years ago | (#39229585)

The lack of ABS can be somewhat mitigated by driving slower if the road looks slippery (wet, snowy, iced over).

I also prefer manual transmission - one of the reasons is that it can be used to brake with the engine, in case the brakes fail. It also allows the car to be push started if the battery is too weak.

I have a modern tape deck (not a CD/MP3 player) and I use GPS when I need it.

Still, my 30 year old car is easy to understand and repair, so I too hope that I can continue driving it for many years. Since the car is modified to run on LPG, the fact that it is not as fuel efficient as newer cars is somewhat mitigated by the fact that LPG costs less than petrol.

Re:Thanks, fellow slashdotters! (1)

darkHanzz (2579493) | more than 2 years ago | (#39230011)

I do have a manual transmission (european, automatic is for whimps) Push-starting is not possible, however. The injection system is cpu-controlled, and needs a stable voltage to work. Besides, the car is too heavy to push anyway. Still, modern automatic transmissions (not the hydraulic ones) are close to being more fuel efficient than manuals. And automatic transmissions are especially convenient in rush-hour, with many start-crawl-stops.

Re:Thanks, fellow slashdotters! (1)

Pentium100 (1240090) | more than 2 years ago | (#39230063)

The injection system is cpu-controlled, and needs a stable voltage to work. Besides, the car is too heavy to push anyway.

While my car has an engine with a carburetor, it still needs the battery to operate the fuel line valves (the ones that select LPG or petrol). Still, it is quite possible that a battery can be too weak to turn the starter motor, but strong enough to supply the few amps to the valves (or in your case, the injection system).

Unless your car is a truck, being too heavy to push (what, 2000kg?) does not mean that push starting is not possible. It can still be possible to start the car if there are more people to push it or if it is on the top of a hill.

Re:Thanks, fellow slashdotters! (1)

adolf (21054) | more than 2 years ago | (#39230503)

Are you sure you can't push start your car?

I've never tried push-starting my E36, per se, but I've purposefully stalled the engine while in motion, coasted a bit, selected an appropriate gear, let the clutch out, and it sprung back to life.

I mean: There's nothing at all stable about a car that has the starter motor turning the engine over...

Re:Thanks, fellow slashdotters! (0)

Anonymous Coward | more than 2 years ago | (#39233449)

Automatics can be used for compression braking too, if they have manual gear selection. Just likely to not be as graceful during the downshift...

Re:Thanks, fellow slashdotters! (0)

Anonymous Coward | more than 2 years ago | (#39230133)

My newish (almost 5 years now) car has big buttons and dials you can use without looking at them. It has "analog" dials ("analog" in almost anything in the last 20ish years probably being computer-controlled). It has large push buttons and a gigantic volume knob for the radio. Door opens with a key. No GPS. Cruise control can be operated without looking.

Re:Thanks, fellow slashdotters! (1)

adolf (21054) | more than 2 years ago | (#39230227)

I drive a 17 year old BMW. It no longer looks new. I bought it inexpensively a half-dozen years ago.

It has a dizzying array of buttons and functions.

I don't generally use them for anything, though the digital voltmeter function is handy for diagnosing electrical problems.

The heater controls have the correct amount of automatic-ness. All I have to do is pick a fan speed using the big knob on the left (clockwise==more, counterclockwise==less, culminating in off), and the direction of airflow using the big knob on the right (12 o'clock==defrost). Temperature is controlled thermostatically and doesn't need fucked with once set.

The windows are electric, and the controls are next to the gearshift, which is way better than having either a crank or a switch on the door. Push gently to raise or lower the window, push harder (just once) to raise or lower it all the way.

On a nice summer day, it goes like this: Unlock car, get in, start car, push the four window buttons one time to let the breeze in, engage a gear and go. Simple.

I hope to keep driving my simple old BMW for many more years.

Your mom is not a Luddite (-1)

Anonymous Coward | more than 2 years ago | (#39228067)

If she were a Luddite she wouldn't be "reading CNN". Luddites don't surf the web.

Sandboxing new cars (1)

RogueWarrior65 (678876) | more than 2 years ago | (#39231209)

Not to worry. All new cars will be sandboxed so you can only use a professional driver on a closed course. Goofy, you say? Sure, but you can always take mass transit to work.

BRILLIANT! REGULAR SOFTWARE UPDATES! (1)

bacon.frankfurter (2584789) | more than 2 years ago | (#39232393)

The kind that require an "always on" internet connection? Yes, let's increase the exposure of our vehicles. Surely it's better to increase the network availability of an already vulnerable system. Wouldn't want to lock down all radio-based vectors of attack at all. I mean, I know I'll be checking the logs and monitoring the spectrum for transmissions to and from my car, 24/7. That sounds safe.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?